02-28-2010 10:36 AM - edited 03-04-2019 07:39 AM
Hi,
My requirement is to have PBR applied on a VRF interface; is it possible? When I apply PBR on a VRF interface I get the following error:
% Policy Based Routing is NOT supported for VRF interfaces
% IP-Policy can be used ONLY for marking (set/clear DF bit) on VRF
In my case it is the LAN interface where I have to apply PBR.
Please find the following config; this will help to understand the scenario better.
******************************
ip cef
!
ip vrf VPN_C
rd 2:2
route-target export 10:10
route-target import 40:10
!
ip vrf VPN_A
rd 103:103
route-target export 20:20
route-target import 40:10
!
ip vrf LAN_VRF
rd 64513:40
route-target export 40:10
route-target import 10:10
route-target import 20:20
route-target import 30:30
!
ip vrf VPN_B
rd 102:102
route-target export 30:30
route-target import 40:10
!
interface FastEthernet0/0
ip vrf forwarding LAN_VRF
ip address 192.168.1.81 255.255.255.240
ip policy route-map PBR
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface Serial1/0
no ip address
encapsulation frame-relay IETF
serial restart-delay 0
no dce-terminal-timing-enable
!
interface Serial1/0.1 point-to-point
!
interface Serial1/0.2 point-to-point
description VPN_B
ip vrf forwarding VPN_B
ip address 172.31.153.214 255.255.255.252
frame-relay interface-dlci 301
!
interface Serial1/0.3 point-to-point
description VPN_C
ip vrf forwarding VPN_C
ip address 172.31.153.166 255.255.255.252
frame-relay interface-dlci 302
!
interface Serial1/0.4 point-to-point
description VPN_A
ip vrf forwarding VPN_A
ip address 172.30.253.214 255.255.255.252
frame-relay interface-dlci 303
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
no dce-terminal-timing-enable
!
router eigrp 1
no auto-summary
!
address-family ipv4 vrf LAN_VRF
redistribute connected metric 10000 100 255 1 1500
redistribute bgp 64513 metric 10000 100 255 1 1500
network 192.168.1.81 0.0.0.0
auto-summary
autonomous-system 1
exit-address-family
!
router bgp 64513
no synchronization
bgp router-id 1.1.1.1
bgp log-neighbor-changes
no auto-summary
!
address-family ipv4 vrf VPN_B
neighbor 172.31.153.213 remote-as 65000
neighbor 172.31.153.213 activate
no synchronization
exit-address-family
!
address-family ipv4 vrf LAN_VRF
redistribute eigrp 1
no synchronization
exit-address-family
!
address-family ipv4 vrf VPN_A
neighbor 172.30.253.213 remote-as 65000
neighbor 172.30.253.213 activate
no synchronization
exit-address-family
!
address-family ipv4 vrf VPN_C
neighbor 172.31.153.165 remote-as 65000
neighbor 172.31.153.165 activate
no synchronization
exit-address-family
!
!
!
ip http server
no ip http secure-server
!
ip access-list extended VPN_B
permit ip host 90.0.0.1 host 150.0.0.1
ip access-list extended VPN_A
permit ip host 80.0.0.1 host 150.0.0.1
!
!
route-map PBR permit 10
match ip address VPN_A
set interface Serial1/0.4
!
route-map PBR permit 20
match ip address VPN_B
set interface Serial1/0.2
!
route-map PBR permit 30
**********************************************
Please advise how I can achieve my purpose in this scenario?
02-28-2010 11:28 AM
Hello Ashish,
I don't know what version of IOS you are running but it is supported in 12.4(24)T and 12.2(33)SXH.
Have a look at this document for more info on how to configure it:
http://www.cisco.com/en/US/docs/ios/mpls/configuration/guide/mp_mltvrf_slct_pbr.html#wp1105776
HTH
Reza
02-28-2010 12:43 PM
Thanks Reza, it is working...I have tested it.
Actually I have an ISR with IOS ver 15.1. It works on it also.
Ashish
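An added example (not from the posts above or from Cisco): a Python pre-check that parses IOS-style configuration text and lists every interface that is both in a VRF and carries `ip policy route-map`, the combination that produced the error in the question, together with the VRF of each `set interface` target so cross-VRF steering is visible before the config is pushed. The sample input is a constructed, trimmed version of the posted config, and the function names `parse` and `audit` are hypothetical.

```python
import re
# Constructed sample: a trimmed version of the configuration posted in the question.
SAMPLE = """\
interface FastEthernet0/0
 ip vrf forwarding LAN_VRF
 ip policy route-map PBR
!
interface Serial1/0.4 point-to-point
 ip vrf forwarding VPN_A
!
route-map PBR permit 10
 match ip address VPN_A
 set interface Serial1/0.4
!
route-map PBR permit 30
"""

def parse(config):
    """Return (interfaces, route_maps) from IOS-style text; indentation is optional."""
    ifaces, rmaps, cur = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m.group(1), {"vrf": None, "policy": None})
        elif m := re.match(r"route-map (\S+) (?:permit|deny) (\d+)", line):
            cur = rmaps.setdefault(m.group(1), {}).setdefault(int(m.group(2)), [])
        elif line == "!":
            cur = None  # "!" closes the current stanza in this style of config
        elif isinstance(cur, dict):  # inside an interface stanza
            if m := re.match(r"ip vrf forwarding (\S+)", line):
                cur["vrf"] = m.group(1)
            elif m := re.match(r"ip policy route-map (\S+)", line):
                cur["policy"] = m.group(1)
        elif isinstance(cur, list) and line.startswith("set "):  # route-map entry
            cur.append(line)
    return ifaces, rmaps

def audit(config):
    """Rows of (interface, ingress VRF, route-map, seq, set action, egress VRF)."""
    ifaces, rmaps = parse(config)
    findings = []
    for name, i in ifaces.items():
        if i["vrf"] and i["policy"]:  # PBR applied to a VRF interface
            for seq, actions in sorted(rmaps.get(i["policy"], {}).items()):
                for act in actions:
                    m = re.match(r"set interface (\S+)", act)
                    egress = ifaces.get(m.group(1), {}).get("vrf") if m else None
                    findings.append((name, i["vrf"], i["policy"], seq, act, egress))
    return findings
```

A row whose egress VRF differs from the ingress VRF marks traffic that the route-map moves across a VRF boundary.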